Self-drive car rental platform Zoomcar has disclosed a significant cybersecurity breach, revealing that personal data of approximately 8.4 million users was accessed by a hacker. The Nasdaq-listed company reported the incident to the U.S. Securities and Exchange Commission (SEC) on June 9.
The exposed data reportedly includes users’ names, phone numbers, car registration details, email addresses, and home addresses. However, Zoomcar clarified that there is no evidence suggesting the leak of sensitive information such as financial details or passwords.
“The company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorised access to company data. Upon discovery, the company promptly activated its incident response plan,” Zoomcar stated in its SEC filing.
The Bengaluru-headquartered firm claims to have a user base exceeding 10 million across 99 Indian cities. Following the breach, Zoomcar said it had notified regulatory and law enforcement bodies and initiated steps to bolster its cybersecurity framework. These include implementing enhanced safeguards across its cloud infrastructure and internal systems, increasing network monitoring, and auditing access permissions.
However, the company has not confirmed whether it has directly informed affected users or shared specific details about the scale of the breach. Attempts to reach Zoomcar for comment are ongoing, and updates will follow upon receiving a response.
The incident adds to a growing wave of cyber threats in India. Just a day before, it was reported that fraudsters had created a fake food delivery website under the name “Jio Eat,” impersonating brands from Reliance to deceive users.
According to India’s finance ministry, the first ten months of FY25 saw around 2.4 million cases of digital fraud, amounting to losses of INR 4,245 crore.
Troubles Beyond Cybersecurity
Founded in 2013 by David Back and Greg Moran, Zoomcar operates a marketplace model connecting car owners with renters seeking self-drive vehicles. The company went public on the Nasdaq in December 2023 through a SPAC (Special Purpose Acquisition Company) merger.
The cyber incident comes at a turbulent time for the company. Zoomcar has faced mounting financial pressure, leadership changes, and legal challenges. Earlier this year, former CEO Hiroshi Nishijima outlined a turnaround strategy focused on expanding services, securing new capital, and slashing costs. However, Nishijima exited in May, and was succeeded by former Uber executive Deepankar Tiwari.
Financially, the company managed to cut its net loss by 45% in Q4 2024, reporting $7.9 million in losses compared to $14.4 million in the same period the previous year. This improvement stemmed largely from a steep 60% reduction in expenses. However, revenue remained stagnant at $2.5 million, up only slightly from $2.4 million a year earlier.
Despite cost-cutting efforts, Zoomcar’s balance sheet remains precarious. As of the end of 2024, it had a negative working capital of $40.8 million. In a February filing, the company warned:
“The company’s cash position is critically deficient and critical payments to the operational and financial creditors of the company are not being made in the ordinary course of business, all of which raises substantial doubt about the company’s ability to continue as a going concern.”
The company added that it anticipates further losses over the next year and intends to raise additional capital to stay afloat.
“Management has evaluated the significance of the conditions described above in relation to the company’s ability to meet its obligations and concluded that, without additional funding, the company will not have sufficient funds to meet its obligations within one year from the date the condensed consolidated financial statements are issued,” the filing stated.
